Web Analytics Privacy Alphabet Soup: GDPR, CCPA, ePrivacy, VCDPA, ROPA

Clicky will be 20 years old in a few months. We've watched every privacy law show up, and have had to keep our own tracking compliant through all of it. We know exactly what counts as personal data in web analytics, what each privacy law requires, whether it applies to you, and what it means for your web analytics setup.

GDPR

GDPR applies if you process data belonging to anyone in the EU, no matter where your company sits. An IP address counts as personal data under GDPR, so the moment your analytics tool logs a raw IP from an EU visitor, you need a lawful basis for that. Consent is one basis. "Legitimate interest" is the other.

The simplest fix isn't a longer privacy policy; it's not collecting anything that counts as personal data in the first place. That means no cookies, no persistent visitor IDs, and anonymized IPs. That's how Clicky runs by default. It's not a workaround, it just entirely removes the thing GDPR is regulating, so you don't have to worry about it.

ePrivacy / PECR

Every cookie banner you've ever clicked through comes from ePrivacy or PECR, not GDPR. GDPR sets the bar for what valid consent looks like. ePrivacy (PECR in the UK) decides whether you need consent at all, and it's triggered by anything stored on or read from a visitor's device: cookies, local storage, etc.

It's a narrower trigger than you might think. A tool that never touches browser storage doesn't need a banner for it, because there's nothing on the device to get consent for. If your current analytics setup forces a cookie banner just to count visits, this is the law doing that, not GDPR.

CCPA

The California Consumer Privacy Act kicks in if you hit one of three thresholds: roughly $26.6 million in annual revenue (it adjusts for inflation most years), 100,000 or more California consumers whose data you buy, sell, or share, or half your revenue coming from selling personal data. That middle one is what catches most sites off guard, as it counts visitors tracked through cookies or ad pixels, not just customers. A mid-traffic blog running GA alongside a Meta pixel can cross that easily without anyone noticing.

CCPA's definition of "sale" and "share" is broad enough to include handing visitor data to ad and attribution platforms, even with no money changing hands. Fewer third parties touching that data means fewer sale-and-share questions to answer. If your analytics doesn't pass anything downstream to ad networks, this gets a lot simpler.

See how Clicky handles this by default →

VCDPA and the state law wave

Virginia's law was the template most other states copied instead of California's. It applies once you process 100,000 Virginia residents' data a year, or 25,000 while getting over half your revenue from data sales. No separate revenue-only trigger like CCPA, and only the state AG can enforce it (no private lawsuits).

Colorado, Connecticut, Utah, and about 15 other states have since built laws on that same structure, which thankfully means you don't really need a separate mental model per state. But analytics that avoids third-party data sharing and doesn't hold onto identifiers longer than necessary clears most of what this entire category asks, state by state, without reading 20 statutes.

ROPA

This one isn't a law, it's paperwork that the GDPR requires under Article 30 once you process personal data at any real scale: an inventory of what you collect, why, where it lives, who else sees it, how long you keep it. Most site owners have never heard of it, which is a problem, because it's usually the first thing a regulator asks for.

Your analytics tool goes on that list, along with any ad pixel or CRM touching visitor data. A spreadsheet covers it for a small business. The upside of cookie-free analytics shows up here too: no cookies, no cross-site IDs, nothing sold, means a short entry instead of a page explaining a dozen data flows.

Consent management

If you're running anything that needs a consent banner, that's a job for a consent management platform like Cookiebot or OneTrust, not your analytics tool. They handle the banner UI, log consent choices, and block scripts until a visitor opts in.

Analytics tells you what happened on your site, whereas consent management controls what's allowed to run before it happens. But if your analytics doesn't need consent in the first place, then you've got one less thing to worry about.

Bottom line

Every law above asks a version of the same question: how much personal data are you collecting, and who else gets it. Cut the cookies, cut the third-party sharing, and you shrink your exposure to GDPR, ePrivacy, etc, all at once. That's the whole reason Clicky ships cookie-free by default instead of as a setting you have to enable.

Try Clicky's cookie-free tracking today →

FAQ

Does GDPR apply if I don't have EU visitors?

No, but there is no way to guarantee you won't have EU visitors in the future, unless you have some kind of filter in place to block them entirely.

Do I need a cookie banner if I use Clicky?

Clicky doesn't set tracking cookies by default, so it doesn't trigger that requirement on its own. Other tools on your site that do set cookies still need one.

Do small sites need to worry about any of this?

While CCPA and VCDPA both have volume or revenue thresholds, the GDPR has no size floor and applies to every site that gets even a single EU visitor. At the

← Blog homepage